The IT Lifecycle: Rolling out IT policies

As business leaders grow their companies, corporate assets should always be top of mind.

As such, business leaders should be implementing IT policies early on, in order to set standards and expectations for employees when it comes to the use of corporate technology and managing corporate data.

In parts one and two of this three-part series, I rolled out a playbook on when companies should hire their first “IT” consultant and what to keep in mind when appointing a CIO. In this third and final part of the IT Lifecycle series, I’ll discuss when companies should start rolling out formal IT policies and how to do so.

In the case of Joe Smith, the CEO of Joe’s Widget Shop, his software startup business is expanding, requiring him to make significant IT investments for his employees. He has now set up an office network and has purchased laptops for each one of his employees. Joe is now evaluating when and how to build out more formal IT policies to set rules and standards for his employees.

When to Roll Out Formal IT Policies

New laws, technologies, regulations, and operational or compliance needs are all triggers for policy development, but it’s important to consider that part of the “when” question can be industry specific, and not solely dependent on headcount. For example, a large construction company that has few employees in the office and most of its employees out in the field probably doesn’t need the same types of IT policies as Joe’s Widget Shop, which is a small tech company with employees on computers all day long.

When implementing formal IT policies, it’s important for Joe to specify the structure and criteria for how each IT policy, guideline or standard should be categorised. Joe should also outline a process for initiating, reviewing, approving and revising IT policies. This includes having a plan in place to manage ongoing roles and responsibilities associated with IT policy development and maintenance.

One common mistake to avoid is repurposing previous examples of IT and security policies found online or “borrowed” from a previous job. Instead, it is important for Joe to take the time to create a custom policy, which aligns with the needs of his particular business.

How to Lay Down the Law

Without written policies, there are no standards to reference. It’s important for Joe to note that policies should clearly define “acceptable use” for both company-owned and employee-owned technology.

But just defining policies isn’t enough. It’s essential that Joe educates employees on the proper process and protocol for using corporate equipment and technology, and that he ties this education into the overall security strategy of the organisation. When establishing IT policies, Joe should outline password requirements, levels of access, confidentiality, restricted third-party or shadow IT applications, and best practices for malware protection.

Instead of just listing out rules, Joe should also provide comprehensive guidelines for things like network configuration, onboarding new employees and setting permission levels for employees. There should also be guidelines outlining how to handle certain IT issues, specifying points of contact for employee technical support, maintenance, installation and long-term technology planning.

Bottom Line

Finally, in order to ensure compliance among all employees, it’s important for Joe to communicate the reasoning behind these rules and structure. Employees will be more diligent about doing their part to be compliant once they have better insight into the rationale and benefits behind such policies. Joe should stress that these rules are in place to protect the business and company assets.

Policies and procedures are often given little attention until something goes wrong, but there’s no reason to wait.

Avoid potentially costly problems by establishing clearly defined policies in advance of any mishaps so that you can help ensure that your organisation and its assets are secure and compliant.